I would like to suggest that the OSX installer automatically run "Install Certificates.command", or display a prompt to users saying "Run Now" during installation.
Having the readme is helpful, but only after you Google for 20 minutes because of an exception you encountered. Of course nobody reads the readme during install. "I've installed Python a thousand times before, I know what I'm doing."
There are so many things that require SSL, and it's reasonably assumed to be functional by default.

> I would like to suggest that the OSX installer automatically run "Install Certificates.command", or display a prompt to users saying "Run Now" during installation.

+1 This would be really helpful. I occasionally get entire rooms full of Mac users with a fresh install of Python 3.6 who immediately get stuck with something as simple as:

    import urllib.request
    urllib.request.urlopen('http://www.python.org').read()

The error messages that pop up are decidedly unhelpful. This is especially mystifying because the original request uses "http" and the site itself redirects to "https".

Tommy, you should ask your question elsewhere, like on Stack Overflow or on the Python mailing list. It does not seem related to this issue at all or to indicate a problem with Python itself. (For the record, the Python Developer's Guide has some good tips on how to build Python for macOS and other platforms; see https://devguide.python.org/setup/#build-dependencies)

Thanks for your suggestions. I agree that the Root Certificates and OpenSSL situation on macOS is still less than desirable. For 3.7.0b2, I have tried to make things more obvious in two ways. One, the installer package will now attempt to open a Finder window for the /Application/Python 3.7 folder that contains the "Install Certificates.command". Two, rather than just a generic "installation complete" message at the end of the install, there is now a tailored message that urges the user to click on the "Install Certificates.command" icon. I considered trying to run the command automatically from the installer, but that gets a bit messy: 1. it requires a network connection; 2. the installer would need to ensure the installation takes place with the right user and group permission and not just as root; 3. the user might not want to use certifi; and 4. the solution needs to work across all macOS versions supported by the installer variant. Also, it appears the installer doesn't allow command files to be executed by clicking on a link in the installer window, a prudent security measure. While not perfect, I think what's now in 3.7.0b2 should be an improvement; at least it will be much harder to overlook without being too obnoxious about it.
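
A diagnostic for the failure discussed in this thread, added here as an example (it is not code from the thread or from the Python installer): it reports whether OpenSSL's default CA locations are populated and builds a verifying context, falling back to certifi's bundle if that package is installed. The function names are hypothetical, and it assumes a build whose trust anchors come only from OpenSSL's file-based defaults, as on the python.org macOS installer.

```python
import os
import ssl


def usable_ca_sources(paths):
    """List the default CA locations that exist and are non-empty."""
    found = []
    if paths.cafile and os.path.isfile(paths.cafile) and os.path.getsize(paths.cafile) > 0:
        found.append(paths.cafile)
    if paths.capath and os.path.isdir(paths.capath) and os.listdir(paths.capath):
        found.append(paths.capath)
    return found


def certifi_bundle():
    """Path of certifi's CA bundle, or None if certifi is not installed."""
    try:
        import certifi  # optional third-party package
    except ImportError:
        return None
    return certifi.where()


def choose_ca_source(paths, bundle):
    """Decide where trust anchors come from; verification is never switched off."""
    if usable_ca_sources(paths):
        return ("default", None)
    if bundle and os.path.isfile(bundle):
        return ("certifi", bundle)
    raise RuntimeError(
        "No CA certificates at %s or %s; run 'Install Certificates.command' "
        "or set %s" % (paths.openssl_cafile, paths.openssl_capath,
                       paths.openssl_cafile_env))


def build_context():
    """Verifying SSLContext to pass as urllib.request.urlopen(url, context=...)."""
    _kind, bundle = choose_ca_source(ssl.get_default_verify_paths(), certifi_bundle())
    # cafile=None makes create_default_context load OpenSSL's default locations.
    return ssl.create_default_context(cafile=bundle)


if __name__ == "__main__":
    p = ssl.get_default_verify_paths()
    print("compiled-in cafile:", p.openssl_cafile, "| usable:", usable_ca_sources(p))
    print("certifi bundle:", certifi_bundle())
    ctx = build_context()
    print("verify_mode:", ctx.verify_mode, "| check_hostname:", ctx.check_hostname)
```
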